NOTE: Please read the full article before proceeding with the configuration!

What is Two Factor Authentication

Two Factor Authentication (2FA) is a method that requires input from two different sources to authenticate a user on a system. Often these two factors are “something that you know” (your password) and “something that you have” (your smart-phone). Authentication then consists of confirming that you know the combination of username and password, and that you have the smart-phone that can generate a valid Time-based One-Time Password.

In contrast to a method which only requires input from one single source, e.g. the password, 2 Factor Authentication provides an extra level of protection, and the use of one-time passwords ensures the credentials cannot be replayed.

2 Factor Authentication (2FA) at Kolab Now

2FA at Kolab Now involves the password prompt and a Time-based One-Time Password (TOTP) algorithm. The preferred provider of the TOTP is FreeOTP, a free and open-source app for smart-phones (https://freeotp.github.io/). It is available for iOS, Android and BlackBerry OS from your favorite app market.

2FA is enabled by logging in to the cockpit, finding the ACCOUNT tab and checking the checkbox ‘2 Factor Authentication’.

User accounts that are configured to require 2FA at login will only be able to use the web client, and will be blocked at the IMAP, POP, ActiveSync, CalDAV, CardDAV and WebDAV level.

To disable 2FA (and enable other means of access), log in to the cockpit, find the ACCOUNT tab and uncheck the checkbox.

Logging in to Kolab Now with 2FA

When you log in to the Web Client, you are requested to first enter your username and password.

Upon submission, if a second factor is already required for this account, a new page will request the TOTP code.

Consult the FreeOTP app on your smart-phone and type in the 6-digit code presented.

Configuring 2FA for a Single User Account

Find the 2 Factor Authentication checkbox and check it. Do not forget to click UPDATE.

Log in to the Web Client, go to Settings -> Multi-Factor Auth, and select Mobile app (TOTP) from the drop-down menu.

A QR code appears with a name field and a verification field.

Give the token a meaningful name, such as the device this TOTP is configured for and…

MAKE A SCREENSHOT OF THIS PAGE!

...before clicking SAVE.

Open FreeOTP on the smart-phone, press the little QR code icon in the top bar of the app, and fit the QR code into the given frame. FreeOTP will then show a verification code, which you enter in the verification code field.

NOTE: Applications like FreeOTP will prevent you from creating a screenshot on the smart-phone itself.

The TOTP token is now registered on the Kolab Now server, and 2FA is enabled for this user. The next time the user logs in, a TOTP code will be required.

Group Manager Accounts

A Group Manager administers one or more user accounts through the HOSTING tab in the cockpit. When a Group Manager creates a new account, 2FA is not enforced. The Group Administrator will need to check the checkbox in the user's profile, and the new user will need to go through the configuration.

Some older Group Manager Accounts have a specific admin user for administration, which is not a full user account (admin@yourdomain.tld can log in to the cockpit, but not to the webmail). Such accounts cannot configure authentication to require a 2nd factor for the admin account (“admin@yourdomain.tld”).

Tips & Tricks

Using 2FA can give the impression that the value of the password is “less than before”. This is not the case. Users should always strive to make passwords as secure as possible.

If the smart-phone is lost, the TOTP token generator is lost with it. To make sure that the token can be recreated, and prevent being locked out from the account, it is important to save a printed screenshot of the QR code off-line before entering the verification code during configuration. A good location for such a printed copy would be next to your passport, marriage license, birth certificate, and such other important documents.

An alternative approach to printing your primary TOTP QR code for off-line storage is to create a secondary TOTP, and store that one off-line instead.

UPDATE: Since the writing of this article, the tool FreeOTP has ended maintenance. Until this article can be updated, Android users can use one of: